| Summary: | HSTS synthesized redirect responses should not be blocked by CORS | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Alex Christensen <achristensen> |
| Component: | WebKit Misc. | Assignee: | Alex Christensen <achristensen> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | cdumez, webkit-bug-importer, youennf |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Description
Alex Christensen
2022-05-26 23:13:06 PDT
Created attachment 459803 [details]
Patch
Created attachment 459975 [details]
Patch
Comment on attachment 459975 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=459975&action=review

> Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:640
> + NSString *origin = [request valueForHTTPHeaderField:@"Origin"] ?: @"*";

If there is no origin header, we probably do not need to add AccessControlAllowOrigin header.
Adding it with '*' does not harm though.

> Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:642
> + networkDataTask->willPerformHTTPRedirection(WTFMove(synthesizedResponse), request, [completionHandler = makeBlockPtr(completionHandler), taskIdentifier, shouldIgnoreHSTS](auto&& request) {

Seems fine for now.
There are corner cases that will not work (CORS preflight for instance).
In the future, we could add a dedicated HSTS upgrade signal and let NetworkResourceLoader/NetworkLoadChecker deal with the full case.

Committed r295230 (251284@main): <https://commits.webkit.org/251284@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 459975 [details].

This landed as 251285@main, NOT 251284@main.
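Review bot: At NetworkSessionCocoa.mm:640 the `?: @"*"` fallback gives `origin` a wildcard value even when the request carried no Origin header, and nothing next to it says why a wildcard is acceptable here. Since the value is meant for the AccessControlAllowOrigin header of a locally synthesized response, consider setting that header only when an Origin header is present, and add a short comment stating that the request's Origin is echoed only because this response is generated by the network process for the HSTS upgrade and never comes from a server.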
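Review bot: At NetworkSessionCocoa.mm:642 the lambda parameter `auto&& request` shadows the outer `request` that is passed as the second argument on the same line, so inside the block it is easy to misread which request is in use. Renaming the parameter (for example to `newRequest`, a suggested name) would make it clear that the block receives the post-redirect request rather than the one whose Origin header was read at line 640.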